You can encrypt the root dataset of a new storage pool to further protect data at rest. Note that you are responsible for remembering, or otherwise backing up, the passphrases or keys that give access to your encrypted data; without them the data cannot be recovered.
Data-at-rest encryption is available with:
- Self Encrypting Drives (SEDs) using OPAL or FIPS 140-2 (both AES-256)
- Encryption of specific datasets (AES-256-GCM in TrueNAS 12.0)
Keys for data-at-rest encryption are managed on the local TrueNAS system; the user is responsible for storing and securing them. Key Management Interoperability Protocol (KMIP) support is included in TrueNAS 12.0.
Encrypting a Storage Pool
To begin encrypting data, follow the same process as creating a new pool and set the Encryption option at the top of the page.
Check the Encryption box, read the Warning, click the Confirm box and then click the I Understand button.
The default encryption cipher is recommended, but other ciphers are available.
Encrypting a New Dataset
New datasets within an existing storage pool can also be encrypted without having to encrypt the entire pool. To encrypt a single dataset, go to Storage > Pools, open the (Options) for an existing dataset, and click Add Dataset. Look at the Encryption Options and, if the parent dataset is unencrypted, unset the Inherit option.
You can then set Encryption for the new dataset and choose which Type of authentication to use: a Key or a Passphrase. Encryption options are the same for either a new pool or dataset.
Creating a new encrypted pool automatically generates a new key file and prompts you to download it. Always back up the key file to a safe and secure location.
Manually back up a root dataset keyfile by opening the pool (Settings) menu and selecting Export Dataset Keys.
To change the key, click (Options) and select Encryption Options.
Enter your custom key or click Generate Key. Remember to back up your key files after creating or updating them.
To use a passphrase instead of a keyfile, click (Options) and select Encryption Options.
Change the Encryption Type from Key to Passphrase and fill in the remaining fields:
Encryption Type: How the dataset is secured. Choose between securing with an encryption Key or a user-defined Passphrase.
Passphrase: User-defined string used to decrypt the dataset. Can be used instead of an encryption key. WARNING: the passphrase is the only means to decrypt the information stored in this dataset. Be sure to create a memorable passphrase or physically secure the passphrase. Must be longer than 8 characters.
pbkdf2iters: Number of password-based key derivation function 2 (PBKDF2) iterations used to derive the dataset's wrapping key from the passphrase. A higher count makes each guess more expensive and so reduces exposure to brute-force attacks. The value must be larger than 100000. See PBKDF2 for more details.
Locking and Unlocking Datasets
The status of a dataset is shown by the icon after its name:
- Unlocked dataset: lock_open icon
- Locked dataset: lock icon
Encrypted datasets can only be locked and unlocked if they are secured with a passphrase instead of a keyfile. Before locking a dataset, verify that it is not currently in use, then click (Options) and Lock.
Use the Force unmount option only if you are certain that no one is currently accessing the dataset.
A dialog window remains visible while the dataset is being locked.
After locking a dataset, the unlock icon changes to a locked icon. While the dataset is locked, it is not available for use.
To unlock a dataset, click (Options) and Unlock.
Enter the passphrase and click Submit. If there are child datasets that are locked with the same passphrase you can unlock them all at the same time by setting Unlock Children.
Confirm that you want to unlock the datasets.
A dialog confirms when datasets are successfully unlocked.
The dataset listing changes to show the unlocked icon.
Conversion from GELI
It is not possible to convert an existing FreeNAS/TrueNAS 11.3 or earlier GELI-encrypted pool in place to native ZFS encryption.
Migration from GELI
Data can be migrated from the GELI-encrypted pool to a new ZFS-encrypted pool. Be sure to unlock the GELI-encrypted pool before attempting any data migrations. The new ZFS-encrypted pool must be at least the same size as the previous GELI-encrypted pool. Two options exist to migrate data from a GELI-encrypted pool to a new ZFS-encrypted pool: file transfer or ZFS send/receive.
In future TrueNAS versions, a decrypted GELI pool will be able to migrate data to a new ZFS-encrypted pool using an advanced Replication Task (NAS-107463). Until then, GELI-encrypted pools continue to be detected and supported in the TrueNAS web interface, so you are not required to migrate data away from GELI pools immediately. Before using the command line to migrate data, weigh the benefits and drawbacks of migrating from GELI to ZFS now rather than waiting.
File Transfer
The first method is to use rsync or another file transfer mechanism (for example, rdiff-backup) to copy the data between the pools.
Warning: Transferring files with this method does not preserve file ACLs.
ZFS Send and Receive
The second method is to use ZFS send/receive commands.
The following is an example walkthrough. It is not an exact step-by-step guide for all situations. Research ZFS send/receive before attempting this. There are many edge cases that cannot be covered by a simple example.
Do not delete your GELI dataset until you have verified you have successfully migrated the data. Failure to do so may result in data loss.
The walkthrough uses these placeholder names:
- GELI Pool = pool_a
- Origin Dataset = dataset_1
- Latest Snapshot of GELI Pool = snapshot_name
- ZFS Native Encrypted Pool = pool_b
- Receiving Dataset = dataset_2
- Create a new encrypted pool in Storage > Pools, as described at the beginning of this article.
- Open the Shell. Make a new snapshot of the GELI pool and dataset with the data to be migrated:
zfs snapshot -r pool_a/dataset_1@snapshot_name
- Write a passphrase to a temporary file. The file holds the passphrase in plaintext, so make it readable only by root and delete it as soon as the transfer is done:
echo passphrase > /tmp/pass
- Use ZFS send/receive to transfer the data between pools:
zfs send -Rv pool_a/dataset_1@snapshot_name | zfs recv -o encryption=on -o keyformat=passphrase -o keylocation=file:///tmp/pass pool_b/dataset_2
- When the transfer is complete, go to Storage > Pools and lock the new dataset. After locking the dataset, immediately unlock it; TrueNAS prompts for the passphrase. Locking and unlocking through the web interface confirms that TrueNAS can open the dataset without the temporary file. Once the dataset is unlocked, delete the /tmp/pass file used for the transfer.
- If desired, you can convert the dataset to use a keyfile instead of a passphrase. To do so, open the dataset (Options) and click Encryption Options. Change the Encryption Type from Passphrase to Key and save. Remember to back up your keyfile immediately!
- Repeat this process for every dataset in the Pool that needs to be migrated.
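The walkthrough above as a reviewable script, added here as an example; it is not the page's own code and not part of TrueNAS. It uses the walkthrough's placeholder pool, dataset and snapshot names and the same zfs send/receive invocation, and tightens two things the one-liners gloss over: the passphrase is read from stdin under umask 077 rather than echoed into a world-readable /tmp file, and the received dataset's keylocation is set to prompt so it stops referring to the temporary file (this zfs set call is my substitution for the web-interface lock/unlock cycle; on TrueNAS prefer the interface so the middleware sees the change). The DRY_RUN switch and the verify_encrypted check are my additions.

```shell
#!/bin/sh
# Added example, not from the TrueNAS documentation or the TrueNAS project:
# the zfs send/receive walkthrough as a script, with the passphrase handling
# tightened. Pool, dataset and snapshot names are the walkthrough's
# placeholders. Set DRY_RUN=1 to print the zfs commands instead of running them.
set -eu

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# The page only requires a passphrase longer than 8 characters.
passphrase_ok() {
    [ "${#1}" -gt 8 ]
}

# Write the passphrase (read from stdin) to a file readable only by its owner.
# `echo passphrase > /tmp/pass` leaves the file world-readable under the
# default umask and records the passphrase in the shell history; reading it
# from stdin under umask 077 avoids both.
write_pass_file() {
    (umask 077 && cat > "$1")
}

# Snapshot the source, send it recursively, and receive it as a new
# passphrase-encrypted dataset. keylocation is then set to prompt so the
# dataset never again refers to the temporary file (my substitution for the
# lock/unlock cycle the walkthrough does in the web interface).
migrate_dataset() {
    src=$1; dst=$2; snap=$3; passfile=$4
    run zfs snapshot -r "${src}@${snap}"
    run sh -c "zfs send -Rv '${src}@${snap}' | zfs recv -o encryption=on \
        -o keyformat=passphrase -o keylocation='file://${passfile}' '${dst}'"
    run zfs set keylocation=prompt "$dst"
}

# Succeed only if the destination reports native encryption, so nobody deletes
# the GELI copy on the strength of a silently unencrypted receive.
verify_encrypted() {
    enc=$(run zfs get -H -o value encryption "$1")
    [ -n "$enc" ] && [ "$enc" != "off" ]
}

main() {
    src=${1:-pool_a/dataset_1}; dst=${2:-pool_b/dataset_2}; snap=${3:-snapshot_name}
    passfile=$(mktemp /tmp/pass.XXXXXX)
    printf 'Passphrase for %s: ' "$dst" >&2
    stty -echo 2>/dev/null || true
    read -r pass
    stty echo 2>/dev/null || true
    echo >&2
    passphrase_ok "$pass" || { echo 'passphrase must be longer than 8 characters' >&2; exit 1; }
    printf '%s\n' "$pass" | write_pass_file "$passfile"
    migrate_dataset "$src" "$dst" "$snap" "$passfile"
    rm -P "$passfile" 2>/dev/null || rm -f "$passfile"   # rm -P overwrites first on FreeBSD
    verify_encrypted "$dst"
    echo "migrated $src to $dst; keep $src until you have checked the data" >&2
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Run it as `sh migrate.sh --run pool_a/dataset_1 pool_b/dataset_2 snapshot_name` once per dataset, or with `DRY_RUN=1` first to review the exact commands. The source dataset is never touched beyond the snapshot; deleting it stays a deliberate, separate step after you have checked the received data.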